Re: [nmh-workers] Making OpenSSL 1.0.2 minimum version
From: Michael Richardson
Subject: Re: [nmh-workers] Making OpenSSL 1.0.2 minimum version
Date: Thu, 27 Jun 2019 13:12:20 -0400
Ken Hornstein <address@hidden> wrote:
> When researching the issue Michael Richardson brought up today, it made
> me realize we really should be calling SSL_set_tlsext_host_name() so we
> send the TLS extension "server name indicator". Which is easy, it's
> literally one line of code. But that makes me ask a larger question: we
> have some autoconf goo to support older libraries (pre OpenSSL 1.0.2)
> that didn't support the function X509_VERIFY_PARAM_set1_host(), and I
> lack the energy to research if SSL_set_tlsext_host_name() exists in
> pre-1.0.2 OpenSSL. I think at this point we should consider OpenSSL
> 1.0.2 the minimum supported version of OpenSSL for nmh. This would
> guarantee we are doing TLS 1.2 everywhere and clean up some #ifdefs.
> Objections?
I concur.
If you have <1.0.2, then you probably don't have useful TLS, and should build
without it.
--
] Never tell me the odds! | ipv6 mesh networks [
] Michael Richardson, Sandelman Software Works | IoT architect [
] address@hidden http://www.sandelman.ca/ | ruby on rails [
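
The effect of supplying the server name, as an added example that is not nmh code and not written by either poster: Python's `ssl` module stands in for the C calls so the check runs offline. Its `server_hostname` argument is what puts the SNI extension in the ClientHello, and `check_hostname` turns on certificate hostname verification. The function names and the host `mail.example.org` are assumptions made for the illustration.

```python
import ssl


def client_hello(hostname):
    """Return the ClientHello bytes OpenSSL emits; memory BIOs, no network."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)  # CERT_REQUIRED by default
    # Hostname verification needs a name to check, so it is only switched off
    # for the comparison case where no name is supplied at all.
    ctx.check_hostname = hostname is not None
    incoming, outgoing = ssl.MemoryBIO(), ssl.MemoryBIO()
    tls = ctx.wrap_bio(incoming, outgoing, server_hostname=hostname)
    try:
        tls.do_handshake()
    except ssl.SSLWantReadError:
        pass  # expected: there is no server to answer
    return outgoing.read()


def sni_from_client_hello(data):
    """Return the server_name in a ClientHello record, or None if absent."""
    if len(data) < 44 or data[0] != 0x16 or data[5] != 0x01:
        raise ValueError("not a TLS handshake record carrying a ClientHello")
    pos = 5 + 4 + 2 + 32                  # record hdr, handshake hdr, version, random
    pos += 1 + data[pos]                  # session_id
    pos += 2 + int.from_bytes(data[pos:pos + 2], "big")   # cipher_suites
    pos += 1 + data[pos]                  # compression_methods
    end = pos + 2 + int.from_bytes(data[pos:pos + 2], "big")
    pos += 2
    while pos + 4 <= end:
        ext_type = int.from_bytes(data[pos:pos + 2], "big")
        ext_len = int.from_bytes(data[pos + 2:pos + 4], "big")
        body = data[pos + 4:pos + 4 + ext_len]
        if ext_type == 0:                 # server_name extension
            name_len = int.from_bytes(body[3:5], "big")  # skip list len, name type
            return body[5:5 + name_len].decode("ascii")
        pos += 4 + ext_len
    return None


if __name__ == "__main__":
    host = "mail.example.org"             # constructed sample name
    print("OpenSSL in use:", ssl.OPENSSL_VERSION)
    print("with hostname   :", sni_from_client_hello(client_hello(host)))
    print("without hostname:", sni_from_client_hello(client_hello(None)))
```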